
A security evangelist shares his best practices

IT Best Practices Alert By Linda Musthaler, Network World
September 25, 2009 02:13 PM ET

For this week’s newsletter, I reached out to eIQnetworks’ Security and Compliance Evangelist, John Linkous. eIQnetworks is the maker of SecureVue, a comprehensive security, log management and compliance automation software package for the enterprise. The new 3.2 version of SecureVue offers a 6-tier scalable architecture, enabling the security product to manage global security for the world’s largest enterprises. With this architecture, SecureVue can process up to a million events per second.

In his role as evangelist, Linkous gets a worldwide perspective of network security issues. I asked him to share with us his five best practices for information security:

Know Your Assets. If you don’t know what you have, you can’t manage it. Consequently, it’s critical for information security managers to have complete, up-to-date knowledge of their information assets, from infrastructure devices, to servers and workstations, peripherals, and data repositories such as databases and e-mail systems. While most information security organizations can identify what they know about their technology assets, it’s just as critical for them to have visibility into what’s not expected: the new device that suddenly shows up on the network; the unexpected wireless access point; the unusual network protocols moving across the firewall. These unanticipated assets can introduce massive risks into the environment, including new attack vectors that can be exploited.

Reduce the “Noise Level” of Information Security Monitoring. Information security is a discipline based on discovering the unusual. While it’s easy to marshal the forces of an incident response team to address something obvious – say, a network worm that’s propagating throughout the environment – it’s not as easy to address seemingly more esoteric abnormalities, such as failed logons.

In a large enterprise on a typical Monday morning, security monitoring teams may see dozens, perhaps even hundreds of failed logons from employees who have “fat-fingered” their credentials. Unfortunately, most organizations don’t have the resources to track down each and every failed logon to determine if it was accidental or malicious. Instead, they acknowledge the event in their console – but of course, that’s not really security.

What if one of those failed logons was the first step in a slow brute-force credential attack? Without the ability to reduce the “noise level” of security monitoring by eliminating the false positives, security teams aren’t practicing true security.

One solution to this problem is correlation. For example, if a security monitoring team member were able to trigger an alert not on every single failed logon, but only those logons onto systems which subsequently experienced a successful logon followed by a high-privilege event – such as the creation of a new user account, or the installation of new software – the security engineer would be able to establish context around the initial failed logon event, perhaps providing the proverbial “needle in the haystack.”
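The correlation rule described above, as an added illustration that is not part of the article or of SecureVue: the sample log lines, field names and the 30-minute window are constructed assumptions, and the rule fires only when a failed logon, a successful logon and a high-privilege event occur on the same host in that order inside the window.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): a noisy Monday of fat-fingered
# logons, one of which precedes a success and a privileged action on the same host.
SAMPLE_EVENTS = [
    "2009-09-21T08:01:10 host=fs01 user=alice event=logon_failed",
    "2009-09-21T08:01:25 host=fs01 user=alice event=logon_success",
    "2009-09-21T08:03:40 host=ws17 user=bob event=logon_failed",
    "2009-09-21T08:04:02 host=ws17 user=bob event=logon_failed",
    "2009-09-21T08:05:15 host=db02 user=svc_backup event=logon_failed",
    "2009-09-21T08:05:33 host=db02 user=svc_backup event=logon_failed",
    "2009-09-21T08:06:01 host=db02 user=svc_backup event=logon_success",
    "2009-09-21T08:09:47 host=db02 user=svc_backup event=user_created target=tmpadmin",
    "2009-09-21T09:30:00 host=ws17 user=bob event=logon_success",
    # Privileged event on fs01 falls outside the window of its earlier failure: no alert.
    "2009-09-21T10:00:00 host=fs01 user=alice event=software_installed",
]

# Event types the article names as high-privilege follow-on actions (assumed labels).
HIGH_PRIVILEGE = {"user_created", "software_installed"}


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def correlate(lines, window=timedelta(minutes=30)):
    """Return one alert per privileged event preceded, on the same host and inside
    `window`, by a successful logon that itself followed at least one failed logon.
    Lone failed logons (the Monday-morning noise) produce nothing."""
    by_host = {}
    for ev in map(parse, lines):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, priv in enumerate(evs):
            if priv["event"] not in HIGH_PRIVILEGE:
                continue
            recent = [e for e in evs[:i] if e["ts"] >= priv["ts"] - window]
            successes = [e for e in recent if e["event"] == "logon_success"]
            if not successes:
                continue
            last_ok = successes[-1]["ts"]
            fails = [e for e in recent if e["event"] == "logon_failed" and e["ts"] < last_ok]
            if fails:
                alerts.append({"host": host, "user": priv["user"], "privileged_event": priv["event"],
                               "failed_logons": len(fails), "first_failure": fails[0]["ts"]})
    return alerts
```

Run against the sample, only the db02 chain (two failures, a success, then a new account) surfaces; the fs01 and ws17 failures are dropped as noise.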

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
